ci: add workflow to sync with upstream daily

This workflow runs the following steps daily:

* Pull tags from upstream;
* Rebase the default branch onto the latest tag for the current Fedora
  version;
* Push the changes to the default branch, including tags.

If the rebase encounters conflicts, the job will abort and conflicts
will need to be resolved manually.

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>

Author: HastD

.github/workflows/upstream-sync.yml

@@ -30,7 +30,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          persist-credentials: true
+          persist-credentials: true # zizmor: ignore[artipacked]
           fetch-depth: 0
 
       - name: Pull tags from upstream and rebase
@@ -39,7 +39,7 @@ jobs:
           FEDORA_VERSION: 42
         run: |
           git remote add 'upstream' 'https://github.com/fedora-selinux/selinux-policy.git'
-          git fetch --tags upstream
+          git fetch --tags 'upstream'
           latest_tag=$(git tag -l "v${FEDORA_VERSION}.*" --sort='-creatordate' | head -n1)
           git rebase "${latest_tag}"
           git push --follow-tags --force-with-lease